"security" flaw? revealing plaintext provider user

Discussion in 'General Discussion' started by tbl, Feb 3, 2005.

  1. tbl

    tbl Guest

    hello there,

    just flashed to hypertWRT. nice additions ;-)

    but actually there's the following security flaw (not only in hyperWRT i think) - maybe it was already posted 1001 times:

    using the administration -> managment -> command shell (or telnet ... or "ping hack" or whatever u like)

    PID Uid Stat Command
    1 0 S init noinitrd
    2 0 S [keventd]
    3 0 S [ksoftirqd_CPU0]
    4 0 S [kswapd]
    5 0 S [bdflush]
    6 0 S [kupdated]
    7 0 S [mtdblockd]
    59 0 S httpd -S
    414 0 S resetbutton
    432 0 S tftpd -s /tmp -c -l
    449 0 S /tmp/ppp/redial 30
    452 0 S pppoecd vlan1 -u myusername -p mypassword -r 1492
    464 0 S udhcpd /tmp/udhcpd.conf
    467 0 S dnsmasq -h -i br0 -r /tmp/resolv.conf
    475 0 S process_monitor
    483 0 S cron
    559 0 R ps -a

    452 0 S pppoecd vlan1 -u myusername -p mypassword -r 1492

    myuserame --> my plaintext providerusername
    mypassword --> my plaintext providerpassword

    actually having an intruder who 1. hacked wlan and 2. got access to the webinterface is a big problem. but, if this nice guy can also access my internetprovider username & password it's getting seriously ugly.

    i forgot .... i'm parani0d ;) (that's why wlan is deactivated by default *g*)
  2. boiler

    boiler Network Guru Member

    Yes, I have noticed that "feature" also. Is there any way to avoid having this info displayed?
  3. Avenger20

    Avenger20 Network Guru Member

    You can't encrypt this info as it needs to be send in plain text to your provider. Just make sure your password is secure.

    Viewing the source (with notepad) of the index.asp page might reveal the password in plain text as well.
  4. boiler

    boiler Network Guru Member

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice